List purpose (was: Sorry for testing the list...)
Peter Karlsson wrote:

> Is this a general security discussion list or a gentoo security updates
> list? Shouldn't there be lots of discussions regarding firewall filter
> rules, IDS, SELinux, etc?
>
> Just for the sake of it? ;-)

It's a general Gentoo security discussion list.

Gentoo-related vulnerabilities are submitted to Bugzilla
(Product=GentooSecurity / Component=Vulnerabilities) and GLSAs are
posted to gentoo-announce, so it's not the best place to discuss
security updates, vulnerabilities or GLSA errors (which should be in
Bugzilla Gentoo Security / Component="GLSA Errors").

We discuss major security policy changes here, and also have discussions
on the general subject of Gentoo and Security (like the use of MD5 only
in portage, or the lack of tree signing). You can post general security
subjects here but you might find the list a little quiet for this and
prefer to post to another list with wider audience (like the
securityfocus ones).

It's true this list may have too narrow a purpose, especially with the
existence of the gentoo-hardened and gentoo-server lists which overlap
parts of it...

--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security
Re: List purpose (was: Sorry for testing the list...)
On Mon, 20 Dec 2004, Thierry Carrez wrote:

> It's a general Gentoo security discussion list.

Well, I wasn't that serious about the question (hence the ;-) smiley) but
I thought that a security list should be a little livelier than it
currently is.

> Gentoo-related vulnerabilities are submitted to Bugzilla
> (Product=GentooSecurity / Component=Vulnerabilities) and GLSAs are
> posted to gentoo-announce, so it's not the best place to discuss
> security updates, vulnerabilities or GLSA errors (which should be in
> Bugzilla Gentoo Security / Component="GLSA Errors").

Ok, I'm new to gentoo. GLSA=GentooLinuxSecurityAnnouncement?

> We discuss major security policy changes here, and also have discussions
> on the general subject of Gentoo and Security (like the use of MD5 only
> in portage, or the lack of tree signing). You can post general security
> subjects here but you might find the list a little quiet for this and
> prefer to post to another list with wider audience (like the
> securityfocus ones).

So what's up with the md5 -> pgp-signing of packages/sources?
And why are there no basic firewall rules applied in gentoo? (I may have
missed something)

> It's true this list may have a too narrow purpose, especially with the
> existence of the gentoo-hardened and gentoo-server lists which overlap
> parts of it...

I thought gentoo-hardened was the paranoid sysop's list with everything
locked down, down to a near unusable machine. ;-)
Well, I would like to move closer to a hardened machine in the future but
not right now; I have other, more pressing, goals.

Perhaps gentoo-hardened and gentoo-security could be combined?

Best regards

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

--
gentoo-security@gentoo.org mailing list
Re: List purpose (was: Sorry for testing the list...)
On Mon, Dec 20, 2004 at 12:28:03PM +0100, Peter Karlsson wrote:
> Well, I wasn't that serious about the question (hence the ;-) smiley)

Since when do smileys diminish the notion of seriousness? ;)


luke
--
Luke Macken <lewk@gentoo.org>
Re: List purpose
> > Well, I wasn't that serious about the question (hence the ;-) smiley)
>
> Since when do smileys diminish the notion of seriousness? ;)

Since they were invented? :) If I remember right, that was their main purpose.
Depends on what smiley it is.

Lami

Re: List purpose
Peter Karlsson wrote:

> Ok, I'm new to gentoo. GLSA=GentooLinuxSecurityAnnouncement?

Yes.

> So what's up with the md5 -> pgp-signing of packages/sources?

Double hashing (SHA1+MD5) and GPG-signing of Manifests (and getting all
/usr/portage files signed at some point) are all under way. I still hope
at least one of those projects will be finished by 2005.0 release.

> And why is there no basic firewall rules applied in gentoo? (I may have
> missed something)

You mean having some sort of default firewall protection after a default
install? I don't think we'll do it. A stage 3 leaves you with no
services running so basically you don't need a default firewall. If you
switch services on you should probably get one, but that "probably"
means some users don't need one and will not clutter their machine with
it. As Gentoo is about choice, we keep everything "optional" and the
system profile to a bare minimum.

> I thought gentoo-hardened was the paranoid sysop's list with everything
> locked down, down to a near unusable machine. ;-)

Hardened machines are not unusable. They just run one of the hardened
kernels with some security features enabled. This ranges from a simple
GRSEC/PaX hardening to a full SELinux permission-based system.

> Well, I would like to move closer to a hardened machine in the future but
> not right now; I have other, more pressing, goals.
>
> Perhaps gentoo-hardened and gentoo-security could be combined?

They could. I don't follow the hardened list so I don't know if they
suffer from the same traffic problem as we do. Probably there are the
usual support requests that keep it alive...

--
Koon

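The double-hashing scheme Thierry mentions (MD5 plus SHA1 digests in the Manifest) is easier to reason about with a concrete verifier in hand. The following is an added example written for this page, not Gentoo's portage code: the Manifest line format it assumes ("ALGO hexdigest path size"), the file names and the file contents are all constructed for the illustration. It shows the behaviour that matters for the thread: a file must match every digest algorithm the policy requires, so a Manifest that only carries MD5 is reported as too weak rather than quietly accepted, and a modified file fails under both hashes. GPG signing of the Manifest itself is a separate step and is not shown here.

```python
"""Added example: verify ebuild files against a Gentoo-style Manifest that
carries both MD5 and SHA1 digests.

The Manifest line format assumed here ("ALGO hexdigest path size") is an
assumption for this illustration, not taken from the thread; the sample
files are constructed inline so the script runs offline.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample: files as they might sit in an ebuild directory.
FILES: Dict[str, bytes] = {
    "foo-1.0.ebuild": b'DESCRIPTION="example package"\nSRC_URI="mirror://foo/foo-1.0.tar.gz"\n',
    "files/foo-1.0-build.patch": b"--- a/Makefile\n+++ b/Makefile\n@@ -1 +1 @@\n-CC=cc\n+CC?=cc\n",
}

# path -> {ALGO: (hexdigest, size)}
Entries = Dict[str, Dict[str, Tuple[str, int]]]


def digest(algo: str, data: bytes) -> str:
    """Hex digest of data under the named algorithm (MD5, SHA1, ...)."""
    return hashlib.new(algo.lower(), data).hexdigest()


def make_manifest(files: Dict[str, bytes], algos=("MD5", "SHA1")) -> str:
    """Build Manifest text listing every file once per digest algorithm."""
    lines = []
    for name in sorted(files):
        data = files[name]
        for algo in algos:
            lines.append(f"{algo} {digest(algo, data)} {name} {len(data)}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Entries:
    """Parse 'ALGO hexdigest path size' lines; reject malformed ones."""
    entries: Entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"Manifest line {lineno}: expected 4 fields, got {len(parts)}")
        algo, hexdigest, name, size = parts
        entries.setdefault(name, {})[algo.upper()] = (hexdigest.lower(), int(size))
    return entries


def verify(files: Dict[str, bytes], manifest_text: str, required=("MD5", "SHA1")) -> List[str]:
    """Return a list of problems; an empty list means every file verified.

    Every required digest must be present *and* match, so a Manifest that
    only carries MD5 is reported as too weak instead of being accepted, and
    a tampered file has to defeat all listed hashes at once, not just one.
    """
    entries = parse_manifest(manifest_text)
    problems: List[str] = []
    for name, data in files.items():
        entry = entries.get(name)
        if entry is None:
            problems.append(f"{name}: not listed in Manifest")
            continue
        sizes = {size for _, size in entry.values()}
        if sizes != {len(data)}:
            problems.append(f"{name}: size {len(data)} does not match Manifest sizes {sorted(sizes)}")
        for algo in required:
            if algo not in entry:
                problems.append(f"{name}: no {algo} digest in Manifest")
                continue
            want_hex, _ = entry[algo]
            if digest(algo, data) != want_hex:
                problems.append(f"{name}: {algo} mismatch")
    for name in entries:
        if name not in files:
            problems.append(f"{name}: listed in Manifest but missing on disk")
    return problems


if __name__ == "__main__":
    manifest = make_manifest(FILES)
    print(manifest)
    print("clean tree:", verify(FILES, manifest) or "OK")
    tampered = dict(FILES)
    tampered["files/foo-1.0-build.patch"] = FILES["files/foo-1.0-build.patch"] + b"# tampered\n"
    print("tampered tree:", verify(tampered, manifest))
    print("MD5-only Manifest:", verify(FILES, make_manifest(FILES, algos=("MD5",))))
```

Note what the check does not give you: digests only tie the files to the Manifest, so an attacker who can edit the Manifest as well as the files still wins. That is why the thread treats GPG-signing of the Manifest as the other half of the work.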
Re: List purpose
On Mon, 20 Dec 2004 17:25:49 +0100
Thierry Carrez <koon@gentoo.org> wrote:

> Peter Karlsson wrote:
>
> > Ok, I'm new to gentoo. GLSA=GentooLinuxSecurityAnnouncement?
>
> Yes.
>
> > So what's up with the md5 -> pgp-signing of packages/sources?
>
> Double hashing (SHA1+MD5) and GPG-signing of Manifests (and getting
> all /usr/portage files signed at some point) are all under way. I still
> hope at least one of those projects will be finished by 2005.0
> release.

You saw the mail I sent to -dev about the problems with SHA1 digests a
few weeks ago? Basically it requires a new portage release for
devs and *all* users *have to* use >=portage-2.0.51. Unlikely that will
be done by 2005.0, maybe 2005.1.

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
Re: List purpose
On Mon, 20 Dec 2004, Thierry Carrez wrote:

> > So what's up with the md5 -> pgp-signing of packages/sources?
>
> Double hashing (SHA1+MD5) and GPG-signing of Manifests (and getting all
> /usr/portage files signed at some point) are all under way. I still hope
> at least one of those projects will be finished by 2005.0 release.

Good to know.

> You mean having some sort of default firewall protection after a default
> install ? I don't think we'll do it. A stage 3 leaves you with no
> services running so basically you don't need a default firewall. If you
> switch services on you should probably get one, but that "probably"
> means some user don't need one and will not clutter their machine with
> it. As Gentoo is about choice, we keep everything "optional" and the
> system profile to a bare minimum.

Well, I just thought a minimal firewall script would be handy for those
that install X for instance... and also for paranoid geeks like me. ;-)

> > I thought gentoo-hardened was the paranoid sysop's list with everything
> > locked down, down to a near unusable machine. ;-)

> Hardened machines are not unusable. They just run one of the hardened
> kernels with some security features enabled. This ranges from a simple
> GRSEC/PaX hardening to a full SELinux permission-based system.

I wasn't serious when I said unusable, although a hardened machine could
be made unusable, if you're not careful. I'm planning on doing a
semi-hardening myself when I can find the time (this of course involves
doing a full re-install).

> > Perhaps gentoo-hardened and gentoo-security could be combined?
>
> They could. I don't follow the hardened list so I don't know if they
> suffer from the same traffic problem as we do. Probably there are the
> usual support requests that keep it alive...

Probably.

Merry x-mas & a happy new year to all!

Peter K

--
We Can Put an End to Word Attachments:
http://www.fsf.org/philosophy/no-word-attachments.html

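Thierry's argument against a default firewall rests on a premise ("a stage 3 leaves you with no services running"), and Peter's reply is about the moment that premise stops holding, once X or other services are installed. The practitioner's check is to look at what is actually listening before deciding whether rules are needed. The following added example (written for this page, not Gentoo code) decodes /proc/net/tcp, which needs no extra tools on a Linux host; the sample content is constructed inline, the little-endian byte order of the address field is assumed, and only IPv4 is handled (/proc/net/tcp6 uses a wider address field).

```python
"""Added example: list listening TCP sockets, and those reachable from the
network, by decoding /proc/net/tcp (IPv4 only).

The sample /proc/net/tcp content below is constructed so the code runs
offline; read_live() reads the real file on a Linux host.
"""
import socket
import struct
from typing import List, Tuple

# Constructed sample: a listener on all interfaces (port 22), a loopback-only
# listener (port 631) and one established outbound connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A000205:C3A8 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """Turn '0100007F:0016' into ('127.0.0.1', 22).

    The kernel prints the IPv4 address as a host-order 32-bit word, so on a
    little-endian host (assumed here) the bytes appear reversed and are
    unpacked with '<I'. The port is plain big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(text: str) -> List[Tuple[str, int]]:
    """All (ip, port) pairs in LISTEN state; the header line is skipped."""
    found: List[Tuple[str, int]] = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        found.append(decode_addr(fields[1]))
    return found


def exposed_listeners(text: str) -> List[Tuple[str, int]]:
    """Listeners not bound to loopback: only these are reachable from the
    network, so only these make a firewall worth having on a given box."""
    return [(ip, port) for ip, port in listening_sockets(text) if not ip.startswith("127.")]


def read_live() -> List[Tuple[str, int]]:
    """Read the real table on a Linux host and return exposed listeners."""
    with open("/proc/net/tcp") as fh:
        return exposed_listeners(fh.read())


if __name__ == "__main__":
    print("listening:", listening_sockets(SAMPLE_PROC_NET_TCP))
    print("exposed  :", exposed_listeners(SAMPLE_PROC_NET_TCP))
    try:
        print("this host:", read_live() or "nothing reachable from the network")
    except OSError as exc:
        print("could not read /proc/net/tcp:", exc)
```

An empty result from exposed_listeners() is the situation Thierry describes (nothing to protect); anything else is the point at which Peter's minimal firewall script would earn its place. Run it again after installing X or any daemon, since the answer changes with what you switch on.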